Azure AD as User Source?

I've successfully connected to my Azure AD within Ignition Gateway by defining an OpenID Connect Identity Provider. When I test my login, I get the idTokenClaims, tokenEndpointResponse and userInfo. Of course I added GroupMember.Read.All, openid and profile within the scopes.

Within my idTokenClaims I get a "groups" section with some GUID-like values which correspond to the Azure AD Groups I've defined.

My question is: since the User Source defined in the gateway defines the Roles, and Ignition doesn't let me define an Azure AD as a User Source to get these roles, how do I manage to know the roles for each user? I understand that at the IdP I can right-click on User Grants and create them one by one, but it's not really efficient since this information can already be found in the Azure AD. There must be something I'm missing.

Any hint/instructions would be appreciated.

Thank you

1 Like

Your roles in your Ignition user source won't necessarily line up with what's in Azure AD. Make sure the user attribute mapping for idTokenClaims path to your "groups" is configured properly for the Roles user attribute.

The way I like to do it is to create custom security levels outside of the Roles which are the standard levels I use in all of my design, then define security level rules for the identity provider to map those user groups/roles over to my custom security levels. This way my projects can be reused between customers without having to rework everything based on how they define their group/role names.

1 Like

Azure AD is not able to provide the group names unless you have a hybrid setup, so I call a script to get the group names via script in the mapping, so my mapping for roles calls the expression:

runScript('AzureAdMappings.GetGroupNames', 0, {multi-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://schemas.microsoft.com/ws/2008/06/identity/claims/role']/saml2:AttributeValue/text()})

In that script, I look up the group names from a dataset tag holding the Azure groups. If a group with a matching id is not found in the tag, then the script updates the tag from Azure and tries again. This way, new groups are handled (the tag is updated) when users log in.

I then have security levels defined that match the groups I am interested in providing permissions for.

1 Like
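The cache-miss-then-refresh logic described in the post above (mapping the group object IDs from the "groups"/role claim to names, refreshing the stored mapping from Azure AD only when an unknown id appears), written as an added, stand-alone Python example rather than the poster's actual script. The Ignition dataset tag and the Azure AD lookup are replaced by a plain dict and an injected `fetch` callable (assumptions), and the directory snapshots are constructed sample data.

```python
import re

# Constructed sample directory: what the Azure AD fetch returns on successive calls.
# The second snapshot contains a group created after the first login.
_DIRECTORY_SNAPSHOTS = [
    {"11111111-1111-1111-1111-111111111111": "Operators",
     "22222222-2222-2222-2222-222222222222": "Maintenance"},
    {"11111111-1111-1111-1111-111111111111": "Operators",
     "22222222-2222-2222-2222-222222222222": "Maintenance",
     "33333333-3333-3333-3333-333333333333": "Administrators"},
]
_GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


class GroupNameResolver(object):
    """Maps Azure AD group object IDs from the claim to group names.

    cache: dict standing in for the dataset tag (assumption: in Ignition this
           would be read and written with the system.tag functions).
    fetch: callable returning {object_id: name}; stands in for the Azure AD call.
    """
    def __init__(self, cache, fetch):
        self.cache = cache
        self.fetch = fetch
        self.refreshes = 0      # counts directory round-trips, for the demo below

    def refresh(self):
        self.refreshes += 1
        self.cache.clear()
        self.cache.update(self.fetch())

    def get_group_names(self, claim_values):
        # Accept only well-formed GUIDs: a claim value that is not an object id
        # must never pass through as a role name.
        ids = [v.strip().lower() for v in claim_values if _GUID.match(v.strip().lower())]
        if any(i not in self.cache for i in ids):
            self.refresh()      # at most one refresh per login, then retry
        # IDs still unknown after the refresh are dropped, not turned into roles.
        return sorted(set(self.cache[i] for i in ids if i in self.cache))


def demo():
    snapshots = iter(_DIRECTORY_SNAPSHOTS)
    resolver = GroupNameResolver(cache={}, fetch=lambda: next(snapshots))
    first = resolver.get_group_names(["11111111-1111-1111-1111-111111111111"])
    second = resolver.get_group_names([
        "33333333-3333-3333-3333-333333333333",  # created after the first login
        "Administrators",                        # not a GUID: ignored
        "99999999-9999-9999-9999-999999999999",  # unknown even after refresh
    ])
    return first, second, resolver.refreshes
```

The empty cache forces one refresh on the first login, and the new group forces a second; a claim value that is not an object id, or an id the directory does not know, never becomes a role.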

Sorry for the delay on this post. I had an environment which didn't reflect reality since I had no on-prem AD synchronized with Azure AD.

This is exactly what I discovered yesterday, Chris. I've done the test with the customer environment which is synchronized, and when I did the Test Login, I was receiving the role names, not their GUIDs.

The only problem with this is that if new groups are added, we have to fill them in within the structure that you have defined, but it's not a major issue since this doesn't change much. It's just sad that Ignition is not 100% there yet for Azure AD. I'm fairly new to Ignition so I thought I was missing something.

Thanks for your help to both of you.